Focus

Use XFF Values for Policies and Logging Source Users

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

Identify Users Connected through a Proxy Server

Use the IP Address in the XFF Header to Troubleshoot Events

Use XFF Values for Policies and Logging Source Users

You can configure the firewall map the IP address in the XFF header to a username using User-ID so that you can have visibility into and user-based policy control over the web traffic of users behind a proxy server who cannot otherwise be identified. In order to map the IP addresses from the XFF headers to usernames, you must first Enable User-ID.

Enabling the firewall to use the X-Forwarded-For headers to perform user mapping does not enable the firewall to use the client IP address in the XFF header as the source address in the logs; the logs still display the proxy server IP address as the source address. However, to simplify the debugging and troubleshooting process you can configure the firewall to Add XFF Values to URL Filtering Logs to display the client IP address from the XFF header in the URL Filtering logs.

To ensure that attackers can’t read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.

These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policy enforcement and logging.

Enable the firewall to use XFF values in policies and in the source user fields of logs.

Select

Device

Setup

Content-ID

and edit the X-Forwarded-For Headers settings.

Select

Use X-Forwarded-For Header in User-ID

Remove XFF values from outgoing web requests.

Select

Strip X-Forwarded-For Header

Click

and

Commit

Verify the firewall is populating the source user fields of logs.

Select a log type that has a source user field (for example,

Monitor

Logs

Traffic

Verify that the Source User column displays the usernames of users who access web applications.

Identify Users Connected through a Proxy Server

Use the IP Address in the XFF Header to Troubleshoot Events

Next-Generation Firewall Docs

Use XFF Values for Policies and Logging Source Users

Next-Generation Firewall Docs

Use XFF Values for Policies and Logging Source Users

Recommended For You

Activation and Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner